Recently I have been trying to find out the series of writes that come when
a format is done at the volume level.
However I wanted to filter out writes that come as a consequence of
FSCTL_DISMOUNT_VOLUME.
So I thought of putting a conditional bp on MJ_FS_CONTROL of ntfs, on the
condition that the control code is FSCTL_DISMOUNT_VOLUME, and then putting a bp
on the completion handler.
This way I will know that, after the completion handler has executed, all writes
will be for formatting purposes.
To put a conditional breakpoint on Ntfs!NtfsFsdFileSystemControl, I am using
poi to get the stack variable; however, I am not able to typecast it (using
dynamic_cast) (I did use a C++ expression by prefixing the whole exp with @@).
Can anyone help here?
If required I can post my conditional bp statement.
Regards
Deepak